Target IP: 10.10.175.30
Help Sebastian and his team of investigators to withstand the dangers that come ahead.
There are three TCP ports open on the target machine: FTP, SSH, and HTTP.
The Ubuntu target machine is running the following:
ProFTPD 1.3.5a (FTP) on port 21.
OpenSSH 7.2p2 (SSH) on port 22.
Apache httpd 2.4.18 (HTTP) on port 80.
Port 80: HTTP
The webpage above is displayed for this web application.
The source code of this webpage contains the hidden directory /sadistRoom at line fourteen. There is also a username, Sebastian.
Browsing to /sadistRoom displays the webpage above. Clicking the here button outputs the key 532219a04ab7a02b56faafbec1a4c1ea to another page. Using that key, I gained access to another webpage when it prompted me to enter it.
The Locker Room webpage above is displayed once I entered the key. The goal is to decode the ciphertext Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv.
Using an online Atbash Cipher Tool website, I obtained the plaintext Grant_me_access_to_the_map_please after decoding the ciphertext Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv.
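Atbash is a fixed substitution that reverses the alphabet (a becomes z, b becomes y, and so on), so it is its own inverse and can be reproduced offline in a few lines rather than through a web tool. The decoder below is an added example, not code from the original writeup or the room; it assumes only the Python standard library and leaves non-letter characters such as the underscores untouched.

```python
import string

# Atbash maps the i-th letter of the alphabet to the (25 - i)-th letter.
# Because that mapping is symmetric, encoding and decoding are the same step.
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_ATBASH = str.maketrans(_UPPER + _LOWER, _UPPER[::-1] + _LOWER[::-1])


def atbash(text: str) -> str:
    """Apply Atbash to every ASCII letter, preserving case; other characters pass through unchanged."""
    return text.translate(_ATBASH)


if __name__ == "__main__":
    # Ciphertext shown on the Locker Room page in the writeup above.
    print(atbash("Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv"))
```

Running the block prints Grant_me_access_to_the_map_please, matching the result the writeup obtained from the online tool.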
After entering the key, the webpage above is shown. The Safe Heaven page contains a hint when its source code is viewed.
Performing a scan against this /SafeHeaven directory shows another hidden directory called /keeper.
Browsing to /keeper shows the webpage above. Pressing the Escape Keeper displays another page.
Doing a Google search for this image shows it is St. Augustine Lighthouse. After inputting this text, I obtain the key 48ee41458eb0b43bf82b986cecf3af01.
Inputting this key at The Abandoned Room using map.php displays the webpage above. Pressing the Go Further button displays the webpage below.
A timer starts, and the source code of the webpage contains the hint shell. It looks like certain commands are blocked.
Using ls .. shows the two interesting directories highlighted above.
I replaced the directory with one of the directories found using ls and obtained the webpage above. The file helpme.zip contains two files: helpme.txt and Table.jpg.
The helpme.txt contains a message stating the file Table.jpg contains hidden data. Using binwalk, I extracted the hidden data Joseph_0da.jpg and key.wav inside the image.
The wav file contains morse code data. Using an online morse code decoder, I obtained the message showme inside this audio file.
Using this new key, I obtained the hidden data inside Joseph_0da.jpg file. Now I have the credentials joseph:intotheterror445 of the FTP application.
There are two more interesting files program and random.dic when I logged into the FTP application.
I tried the different possible passwords from the random.dic file against the program. It worked when I used kidman. I have to decode 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33.
After Googling the numbers, I decoded it using Multi-Tap Phone (SMS) and obtained the string KIDMANSPASSWORDISSOSTRANGE. This password looks like an SSH password.
Using the credentials kidman:KIDMANSPASSWORDISSOSTRANGE I gained a foothold on the target machine using SSH.
There are two interesting files in this user's home directory, as shown above.
Running find / -writable -type f 2>/dev/null shows the interesting file entries above that this user has access to.
There is an interesting cronjob called the_eye_of_ruvik.py. I also have write privileges over this file as the current user, so I can put my reverse shell script inside it.
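The weakness here is a script executed by cron as root while being writable by a low-privileged account. The audit below is an added example, not code from the original writeup or the room: it parses /etc/crontab-style entries, resolves the script actually run (skipping an interpreter such as python3), and reports any whose permission bits let a given uid/gid set write to it. The crontab lines, file paths, and modes are constructed fixtures; the real path of the_eye_of_ruvik.py is not given on the page.

```python
import os
import stat
from typing import Callable, Iterable, List, NamedTuple, Optional, Set, Tuple


class FileInfo(NamedTuple):
    mode: int  # st_mode as returned by os.stat()
    uid: int
    gid: int


INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}


def script_from_cron_line(line: str, system_crontab: bool = True) -> Optional[Tuple[str, str]]:
    """Return (run_as_user, script_path) for one cron entry, or None for blank, comment and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(maxsplit=1)[0]:
        return None
    fields = line.split()
    n_sched = 1 if fields[0].startswith("@") else 5  # @reboot-style shortcut or five time fields
    if system_crontab:  # /etc/crontab and /etc/cron.d carry a user column before the command
        user, command = fields[n_sched], fields[n_sched + 1:]
    else:
        user, command = "<crontab owner>", fields[n_sched:]
    if not command:
        return None
    target = command[0]
    # "python3 /path/script.py": the file that matters is the script, not the interpreter binary.
    if os.path.basename(target) in INTERPRETERS and len(command) > 1:
        target = command[1]
    return user, target


def can_write(info: FileInfo, uid: int, gids: Set[int]) -> bool:
    """Classic owner/group/other permission check for the given identity (no ACLs, not root)."""
    if info.uid == uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.gid in gids:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def writable_cron_scripts(lines: Iterable[str], stat_of: Callable[[str], Optional[FileInfo]],
                          uid: int, gids: Set[int], system_crontab: bool = True) -> List[Tuple[str, str]]:
    """List (run_as_user, script_path) pairs where the script is writable by uid/gids."""
    findings = []
    for line in lines:
        parsed = script_from_cron_line(line, system_crontab)
        if parsed is None:
            continue
        user, path = parsed
        info = stat_of(path)
        if info is not None and can_write(info, uid, gids):
            findings.append((user, path))
    return findings


def os_stat_of(path: str) -> Optional[FileInfo]:
    """Live lookup for use on a real host; returns None for paths that do not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return FileInfo(st.st_mode, st.st_uid, st.st_gid)


# Constructed fixture: a crontab resembling the misconfiguration in the writeup (paths are invented).
SAMPLE_CRONTAB = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user command",
    "*/1 * * * * root /usr/bin/python3 /opt/example/the_eye_of_ruvik.py",
    "0 4 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
]
SAMPLE_STAT = {
    "/opt/example/the_eye_of_ruvik.py": FileInfo(0o100666, 0, 0),  # world-writable, run as root
    "/usr/sbin/logrotate": FileInfo(0o100755, 0, 0),               # root-owned, not writable
}

if __name__ == "__main__":
    for user, path in writable_cron_scripts(SAMPLE_CRONTAB, SAMPLE_STAT.get, uid=1000, gids={1000}):
        print(f"cron runs {path} as {user}, but uid 1000 can modify it")
```

On a live host, pass os_stat_of instead of SAMPLE_STAT.get, feed it the lines of /etc/crontab and /etc/cron.d/*, and use os.getuid() and os.getgroups() for the identity; the fix for any finding is to make the script owned by root with mode 0755 or stricter, and the same check belongs in a hardening baseline so the gap is caught before a user ever needs find -writable.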
I started a listener on port 8443. I put my Python reverse shell script inside this the_eye_of_ruvik.py Python file. Then after some time, I gained a root reverse shell connection on port 8443. Game over. But there is still one task left after obtaining the root.txt: defeat ruvik.
And that's a wrap. GG.
The user.txt flag once I gained a foothold on the target machine.
The root.txt flag after exploiting the weak configuration cronjob script. There is only one task left: defeat ruvik.